Custom JACC Example for JBoss Portal 2.2
This wiki contains a sample PortalJaccPolicy class that demonstrates how you can override
the standard portal security implementation with authorization checks of your own. This wiki assumes you've already read: http://docs.jboss.com/jbportal/v2.2/reference-guide/en/html/security.html and you want to actually override the "implies" method in the PortalJaccPolicy class.
Brief JBoss Portal 2.2 Security Summary
By default, authentication actually occurs in org.jboss.portal.core.security.jaas.ModelLoginModule. This JAAS extension class authenticates the user.
Portal authorization starts with a copy of the app server's default JACC implementation class that's re-packaged in the jboss-portal.sar, org.jboss.portal.security.impl.jacc.PortalJaccPolicy, and it doesn't do any authorization. These 3 external permission type classes are actually JACC extensions that handle the authorization for access to various portal framework objects:
Each class handles the appropriate permission association at the appropriate portal object level. So, the PortalObjectPermission class handles authorization of portal objects, InstancePermission handles portlet instances, etc...
Custom PortalJaccPolicy Sample
Attached is a zip file that contains a PortalJaccPolicy.java file and build scripts that'll deploy the custom portal JACC implementation to a JBoss Portal 2.2 server. Key features include:
Overrides the implies() method and calls a silentAuthorization() method
silentAuthorization() method checks a properties file for portal object definitions for an "Adminstrator" role. This is a bit hard-coded, but the intention is to demonstrate that this JACC override will actually work.
Properties file key=role
Properties file value=comma separated list of portlets and portal pages user has access to
You can delete entries from the properties file and see the portal tabs dissapear.
Also, you can create a new portal page
Add a portlet window and portlet instance to that portal page
Change the permissions so that all cannot "VIEW"
Add the portal objects to the properties file portal object value list
Hit the portal page and see that you now have access
Keep an eye on this forum because any changes/enhancements to the current JACC implementation are likely to be hashed out here: http://jboss.com/index.html?module=bb&op=viewtopic&t=73586&start=0&postdays=postDays&postorder=postOrder&highlight=highlight.